i. emergency contact persons ii. firm policy€¦ · business continuity plan i. emergency contact...
TRANSCRIPT
WAYCROSS INVESTMENT MANAGEMENT COMPANY Business Continuity Plan I. Emergency Contact Persons
Our firm’s two emergency contact persons are: Michael Ryan, 360-319-8350, [email protected] and L Hart Hodges, 360-927-6013, [email protected]. These names will be updated in the event of a material change, and our Executive Representative will review them within 17 business days of the end of each year, or when one of Contact Persons leaves the firm. II. Firm Policy
Our firm’s policy is to respond to a Significant Business Disruption (SBD) by safeguarding employees’ lives and firm property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all of the firm’s books and records, and allowing our Clients to transact business. Clients always have immediate access to their funds and securities held in custody by a third party custodian. In the event that we determine we are unable to continue our business, we will inform our Clients.
A. Significant Business Disruptions (SBDs)
Our plan anticipates two kinds of SBDs, internal and external. Internal SBDs affect only our firm’s ability to communicate and do business, such as a fire in our building. External SBDs prevent the operation of the securities markets or a number of firms, such as a terrorist attack, a city flood, or a wide-scale, regional disruption. Our response to an external SBD relies more heavily on other organizations and systems, especially on the capabilities of the third party custodians of clients’ securities and funds.
B. Approval and Execution Authority
Michael Ryan, President, a registered principal, is responsible for approving the plan and for conducting the required annual review. L. Hart Hodges, Vice President, has the authority to execute this BCP.
C. Plan Location and Access
Our firm will maintain copies of its BCP and the annual reviews, and the changes that have been made to it for inspection. An electronic copy of our plan is located on (\\WAYCROSSSERVER\shares) (H:) (Compliance).
III. Succession Planning
A. Principals
If Michael Ryan, a registered principal, becomes incapacitated or perishes, all business operations fall to the secondary principal, L. Hart Hodges. If L. Hart Hodges, a registered principal, becomes incapacitated or perishes, all business operations fall to the primary principal, Michael Ryan. If both principals become incapacitated or perish, all business operations fall to the primary advisor, David Schneider.
B. Office Manager
If Diana Parrott, the office manager, becomes incapacitated or perishes, Waycross will make every best effort to immediately fill the position of office manager. In the interim, the operations manager, Anne Young, will fill the position. The office manager will have administrative manuals to refer to if such an event occurs, so that Waycross may continue its operations, business as usual. IV. Business Description
Our firm conducts business in equity, fixed income, and mutual fund securities. Our firm is an investment advisor and does not perform any type of clearing function for itself or others. Furthermore, we do not hold customer funds or securities. We enter orders. All transactions are sent to our clients’ custodian firm, which executes our orders, compares them, allocates them, clears and settles them. Our clearing firm also maintains our Clients’ accounts, can grant Clients access to those accounts, and delivers funds and securities. Our firm services retail Clients and Institutional Clients. We do not engage in any private placements. Our clearing firm is: Charles Schwab & Co., Inc. P.O. Box 52013 Phoenix, AZ 85072 1.888.306.7327 www.schwabinstitutional.com and our contact person at that clearing firm is the Northwest ISG Team: phone - 1.877.716.0849; e-mail: [email protected].
Certain clients may have assets in custody at additional clearing firms, where Waycross receives account information to include in that client’s reports. The firms currently associated with those clients are as follows: PNC Investments, LLC 1900 East Ninth Street Cleveland, OH 44114 1.800.622.7086 Sterling Trust Equity Institutional P.O. Box 20608 Waco, TX 76702 1.866.958.9054 [email protected] V. Office Locations
Our Firm has offices located at 119 North Commercial Street, Suite 191, Bellingham, Washington. Its main telephone number is 360-671-0148. Our employees may travel to that office by means of foot, car, bus, or bicycle. We engage in the following mission critical systems at this location: order taking and entry, comparison, allocation, and maintenance of Client accounts. VI. Alternative Physical Location(s) of Employees
In the event of an internal SBD that precludes the use of our primary office location, we will move our staff from affected offices to each staff member’s respective home, working remotely. The main telephone number(s) to contact will be the Advisor’s personal cellular phone numbers, and will be mass-distributed to all clients via electronic communication. VII. Clients’ Access to Funds and Securities
Our firm does not maintain custody of Clients’ funds or securities, which are maintained at our clearing firm, Charles Schwab and Co, and PNC Investments, LLC and Sterling Trust Equity Institutional for select Clients. In the event of an internal or external SBD, clients may access their securities and funds by directly contacting the above-noted clearing firms. The firm(s) will make this information available to Clients through its disclosure policy.
VIII. Data Back-Up and Recovery (Hard Copy and Electronic)
Our firm maintains its primary hard copy books and records and its electronic records at 119 North Commercial Street, suite 191, Bellingham, Washington. Michael Ryan, President, 360-671-0148, is responsible for the maintenance of these books and records. Our firm maintains the following document types and forms that are not transmitted to our clearing firm: Investment Policy Statement, Investment Advisory Agreement, and any agreements with our Clients not pertaining to the clearing firm(s). The firm backs up its electronic records daily by way of Google Drive and iBackup. Off-site backup occurs every day on an automatic schedule. In the event of an internal or external SBD that causes the loss of our paper records, we will physically recover them from our electronic back-up or by utilizing the custodian firm’s back-up. If our primary site is inoperable, we will continue operations from our alternate location(s) listed in Section V, until such time that we secure an alternate primary site. IX. Financial and Operational Assessments
A. Operational Risk
In the event of an SBD, we will immediately identify what means will permit us to communicate with our clients, employees, critical business constituents, critical banks, critical counter-parties, and regulators. Although the effects of an SBD will determine the means of alternative communication, the communications options we will employ will include our website, telephone voice mail, and e-mail. In addition, we will retrieve our key activity records as described in the section above, Data Back-Up and Recovery (Hard Copy and Electronic).
B. Financial and Credit Risk
In the event of an SBD, we will evaluate our ability to continue to fund our operations. We will contact our clearing firm, critical banks, and investors to apprise them of our financial status. X. Mission Critical Systems
Our firm’s “mission critical systems” are those that ensure prompt and accurate processing of securities transactions, including order entry, confirmation of execution, comparison, allocation, the maintenance of client accounts, and access to client accounts. More specifically, these systems include:
Junxure – customer relationship management program Axys – portfolio accounting program Charles Schwab & Co., Inc. - custodial data
We have primary responsibility for establishing and maintaining our business relationships with our Clients and have sole responsibility for our mission critical functions of order taking and entry. Our clearing firms provides, through contract, the execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts, and the delivery of funds and securities. Our clearing firm represents that it backs up our records at a remote or out-of-region site. Our clearing firm represents that it operates a back-up operating facility in a geographically separate area with the capability to conduct the same volume of business as its primary site. Our clearing firm has also confirmed the effectiveness of its back-up arrangements to recover from a wide scale disruption by testing. Recovery-time objectives provide concrete goals to plan for and test against. They are not, however, hard and fast deadlines that must be met in every emergency situation, and various external factors surrounding a disruption, such as time of day, scope of disruption, and status of critical infrastructure—particularly telecommunications—can affect actual recovery times. Recovery refers to the restoration of clearing and settlement activities after a wide-scale disruption; resumption refers to the capacity to accept and process new transactions and payments after a wide-scale disruption. Our clearing firm makes every best effort to mitigate reasonable risk of service interruption and in the event of a SBD, the recovery time and resumption objectives of our clearing firm are to resume regular business as soon as possible given the implementation of geographically diverse service centers allowing rapid transfer of work to alternate locations.
A. Our Firm’s Mission Critical Systems
1. Order Taking
Currently, our firm receives negligible orders from Clients. Orders are received via telephone, fax, e-mail, or in person visits by the customer. During an SBD, either internal or external, we will continue to take orders through any of these methods that are available and reliable, and in addition, as communications permit, we will inform our Clients when communications become available to tell them what alternatives they have to send their orders to us. If necessary, we will advise our Clients to place orders directly with our clearing firm.
2. Order Entry
Currently, our firm enters orders by recording them electronically and sending them to our clearing firm electronically or telephonically. In the event of an internal SBD, we will enter and send records to our clearing firm by the fastest alternative means available. In the event of an external SBD, we will maintain the order in electronic or paper format, and deliver the order to the clearing firm by the fastest means available when it resumes operations. In addition, during an internal SBD, we may direct our Clients to deal directly with our clearing firm for order entry.
B. Mission Critical Systems Provided by Our Clearing Firm
Our firm relies, by contract, on our clearing firm to provide order execution, order comparison, order allocation, and the maintenance of customer accounts, delivery of funds and securities, and access to customer accounts. XI. Alternate Communications Between the Firm and Clients, Employees, and Regulators
A. Clients
We now communicate with our Clients using telephone, e-mail, U.S. mail, and in-person visits at our firm. In the event of an SBD, we will assess which means of communication are still available to us, and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party. For example, if we have communicated with a party by e-mail but the Internet is unavailable, we will call them on the telephone and follow up where a record is needed with paper copy in the U.S. mail. B. Employees We now communicate with our employees using the telephone, e-mail, and in person. In the event of an SBD, we will assess which means of communication are still available to us, and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party. We will also employ a call tree so that senior management can reach all employees quickly during an SBD. The call tree includes all staff home and office phone numbers. We have identified persons, noted below, who live near each other and may reach each other in person: The person(s) to invoke use of the call tree is: Michael F. Ryan, or L. Hart Hodges.
Caller Call Recipients
Michael F. Ryan L. Hart Hodges, David Schneider, Anne Young,
Diana Parrott
L. Hart Hodges Michael Ryan, David Schneider, Anne Young, Diana Parrott
C. Regulators We are currently registered with the State of Washington. We communicate with our regulators using the telephone, e-mail, U.S. mail, and in person. In the event of an SBD, we will assess which means of communication are still available to us, and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party. XII. Critical Business Constituents, Banks, and Counter-Parties
A. Business constituents
We have contacted our critical business constituents (businesses with which we have an ongoing commercial relationship in support of our operating activities, such as vendors providing us critical services), and determined the extent to which we can continue our business relationship with them in light of the internal or external SBD. We will quickly establish alternative arrangements if a business constituent can no longer provide the needed goods or services when we need them because of a SBD to them or our firm.
Junxure – customer relationship management program o 3651 Trust Drive
Raleigh, NC 27616 1.866.586.9873
Axys o 600 Townsend Street, 5th Floor
San Francisco, CA 94103 1.415.543.7696
Charles Schwab & Co., Inc. o P.O. Box 52013
Phoenix, AZ 85072 1.888.306.7327
iBackup o 26115 Mureau Road, Suite A
Calabasas, CA 91302 1.818.878.9208
Zipper Computer o 4500 9th Ave. NE, Suite 300
Seattle, WA 98105 360.631.7447
Litzia, LLC o 314 E. Holly St. #205
Bellingham, WA 98225 360.714.0565
Summit Bookkeeping o 1530 Birchwood Ave., Ste. D
Bellingham, WA 98225 360.671.0244
Baron Telecommunications o 1204 Railroad Ave. #101
Bellingham, WA 98225 360.734.5082
Oasys o 1575 Port Drive
Burlington, WA 98233 360.755.0309
Compliance Consultants, LLC o 1825 72nd Ave. SE
Mercer Island, WA 98040 425.765.6427
Smarsh o 75 Broad Street, Suite 306
New York, NY 10004 1.866.762.7741
Comcast Business Class o 1.800.391.3000
Metcalf Hodges, PS
o 709 Dupont Street Bellingham, WA 98225 360.733.1010
B. Banks
We do not currently rely on banks for any financing of our operations. All operations have been, and are expected to continue to be financed by the operators of our firm. The bank maintaining our operating account and proprietary account is: Peoples Bank 1333 Cornwall Avenue Bellingham, WA 98225 1.800.584.8859 www.peoplesbank-wa.com If our banks and other lenders are unable to provide the financing, we will seek alternative financing immediately from: Charles Schwab & Co., Inc. P.O. Box 52013 Phoenix, AZ 85072 1.888.306.7327
XIII. Regulatory Reporting
Our firm is subject to regulation by the State of Washington. We now file reports with our regulators using paper copies in the U.S. mail, and electronically using e-mail, and the Internet. In the event of an SBD, we will check with the State of Washington, and other regulators to determine which means of filing are still available to us, and use the means closest in speed and form (written or oral) to our previous filing method. In the event that we cannot contact our regulators, we will continue to file required reports using the communication means available to us. Our firm will update this plan whenever we have a material change to our operations, structure, business or location or to those of our clearing firm. In addition, our firm will review this BCP annually, in the third quarter of each year, to modify it for any changes in our operations, structure, business, or location or those of our clearing firm. XIV. Senior Manager Approval
I have approved this Business Continuity Plan as reasonably designed to enable our firm to meet its obligations to Clients in the event of an SBD. Signed: _______________________________ Printed: _______________________________ Title: _______________________________ Date: _______________________________
WAYCROSS INVESTMENT MANAGEMENT COMPANY SUCCESSION PLAN
I. Succession Planning
A. Principals
If Michael Ryan, a registered principal, becomes incapacitated or perishes, all business operations fall to the secondary principal, L. Hart Hodges. If L. Hart Hodges, a registered principal, becomes incapacitated or perishes, all business operations fall to the primary principal, Michael Ryan. If both principals become incapacitated or perish, all business operations fall to the primary advisor, David Schneider.
B. Office Manager
If Diana Parrott, the office manager, becomes incapacitated or perishes, Waycross will make every best effort to immediately fill the position of office manager. In the interim, the operations manager, Anne Young, will fill the position. The office manager will have administrative manuals to refer to if such an event occurs, so that Waycross may continue its operations, business as usual.
Waycross Disaster Recovery Plan
9/24/2014 Version 2
Table of Contents Introduction ............................................................................................................................................................ 3
Purpose .................................................................................................................................................................... 3
Scope ....................................................................................................................................................................... 3
Version Information & Changes ............................................................................................................................... 3
Disaster Recovery Teams & Responsibilities .......................................................................................................... 4
Disaster Recovery Lead ........................................................................................................................................... 4
Disaster Management Team .................................................................................................................................... 5
Network Team .......................................................................................................................................................... 6
Server Team ............................................................................................................................................................. 7
Applications Team .................................................................................................................................................... 7
Operations Team ...................................................................................................................................................... 8
Senior Management Team ....................................................................................................................................... 9
Disaster Recovery Call Tree................................................................................................................................... 9
Data and Backups .................................................................................................................................................. 10
Communicating During a Disaster ........................................................................................................................ 10
Communicating with the Authorities ....................................................................................................................... 10
Communicating with Employees ............................................................................................................................ 11
Communicating with Clients ................................................................................................................................... 11
Communicating with Vendors ................................................................................................................................. 12
Dealing with a Disaster ........................................................................................................................................ 12
Disaster Identification and Declaration ................................................................................................................... 12
DRP Activation ....................................................................................................................................................... 13
Communicating the Disaster .................................................................................................................................. 13
Assessment of Current and Prevention of Further Damage .................................................................................. 13
Standby Facility Activation ..................................................................................................................................... 14
Restoring IT Functionality ....................................................................................................................................... 14
Restoring IT Functionality ..................................................................................................................................... 14
Current System Architecture .................................................................................................................................. 14
IT Systems.............................................................................................................................................................. 14
Plan Testing & Maintenance................................................................................................................................. 14
Maintenance ........................................................................................................................................................... 14
Testing .................................................................................................................................................................... 15
3
Introduction
This Disaster Recovery Plan (DRP) captures, in a single repository, all of the information that describes Waycross Investment Management Company’s (herein after referred to as “Waycross”) ability to withstand a disaster as well as the processes that must be followed to achieve disaster recovery.
Purpose
Note that in the event of a disaster the first priority of Waycross is to prevent the loss of life. Before any secondary measures are undertaken, Waycross will ensure that all employees, and any other individuals on the organization’s premises, are safe and secure. After all individuals have been brought to safety, the next goal of Waycross will be to enact the steps outlined in this DRP to bring all of the organization’s groups and departments back to business-as-usual as quickly as possible. This includes:
• Preventing the loss of the organization’s resources such as hardware, data and physical IT assets
• Minimizing downtime related to IT • Keeping the business running in the event of a disaster
This DRP document will also detail how this document is to be maintained and tested.
Scope
The Waycross DRP takes all of the following areas into consideration: • Network Infrastructure • Servers Infrastructure • Telephone System • Data Storage and Backup Systems • Database Systems • IT Documentation
This DRP does not take into consideration any non-IT, personnel, Human Resources and real estate related disasters. For any disasters that are not addressed in this document, please refer to the business continuity plan created by Waycross.
Version Information & Changes
Any changes, edits and updates made to the DRP will be recorded in here. It is the responsibility of the Disaster Recovery Lead to ensure that all existing copies of the DRP are up to date.
4
Whenever there is an update to the DRP, Waycross requires that the version number be updated to indicate this.
Name of Person Making Change
Role of Person Making Change
Date of Change
Version Number
Notes
Diana Parrott Office Manager
9/26/14 2
Disaster Recovery Teams & Responsibilities
In the event of a disaster, different groups will be required to assist in the effort to restore normal functionality to the employees of Waycross. The different groups and their responsibilities are as follows:
• Disaster Management Team
The lists of roles and responsibilities in this section have been created by Waycross and reflect the likely tasks that team members will have to perform. Disaster Recovery Team members will be responsible for performing all of the tasks below. In some disaster situations, Disaster Recovery Team members will be called upon to perform tasks not described in this section.
Disaster Recovery Lead
The Disaster Recovery Lead is responsible for making all decisions related to the Disaster Recovery efforts. This person’s primary role will be to guide the disaster recovery process and all other individuals involved in the disaster recovery process will report to this person in the event that a disaster occurs at Waycross, regardless of their department and existing managers. All efforts will be made to ensure that this person be separate from the rest of the disaster management teams to keep his/her decisions unbiased; the Disaster Recovery Lead will not be a member of other Disaster Recovery groups in Waycross.
5
Role and Responsibilities
• Make the determination that a disaster has occurred and trigger the DRP and related processes.
• Initiate the DR Call Tree. • Be the single point of contact for and oversee the DR Team.
Contact Information
Name Role/Title Work Phone
Number Home Phone
Number Mobile Phone
Number
David Schneider Primary Disaster Lead 360.671.0148 360.778.1731 503.949.8011
Disaster Management Team
The Disaster Management Team that will oversee the entire disaster recovery process. They will be the team that will need to take action in the event of a disaster. This team will evaluate the disaster and will determine what steps need to be taken to get the organization back to business as usual.
Role & Responsibilities
• Set the DRP into motion after the Disaster Recovery Lead has declared a disaster • Determine the magnitude and class of the disaster • Determine what systems and processes have been affected by the disaster • Keep a record of money spent during the disaster recovery process • Ensure that all decisions made abide by the DRP and policies set by Waycross • Create a detailed report of all the steps undertaken in the disaster recovery process • Notify the relevant parties once the disaster is over and normal business functionality has
been restored • After Waycross is back to business as usual, this team will be required to summarize any
and all costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster
Contact Information
Name Role/Title Work Phone
Number Home Phone
Number Mobile Phone
Number
6
Anne Young Operations Manager 360.671.0148 N/A 253.335.8419
Diana Parrott Office Manager 360.671.0148 360.922.7499 360.296.1970
Network Team
The Network Team will be responsible for assessing damage specific to any network infrastructure and for provisioning data and voice network connectivity including WAN, LAN, and any telephonic connections internally within the enterprise as well as telephony and data connections with the outside world. They will be primarily responsible for providing baseline network functionality and may assist other IT Teams as required or necessary.
Role & Responsibilities
• If multiple network services are impacted, the team will prioritize the recovery of services in the manner and order that has the least business impact.
• If network services are provided by third parties, the team will communicate and co-ordinate with these third parties to ensure recovery of connectivity.
• Once critical systems have been provided with connectivity, employees will be provided with connectivity in the following order:
o All members of the DR Teams o All remaining employees
• Install and implement any tools, hardware, software and systems required in the primary facility
• After Waycross is back to business as usual, this team will be summarize any and all costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster
Contact Information
Name Role/Title Work Phone
Number Home Phone
Number Mobile Phone
Number
Anne Young Operations Manager 360.671.0148 N/A 253.335.8419
Diana Parrott Office Manager 360.671.0148 360.922.7499 360.296.1970
7
Server Team
The Server Team will be responsible for providing the physical server infrastructure required for the enterprise to run its IT operations and applications in the event of and during a disaster. They will be primarily responsible for providing baseline server functionality and may assist other IT Teams as required or necessary.
Role & Responsibilities
• If multiple servers are impacted, the team will prioritize the recovery of servers in the manner and order that has the least business impact. Recovery will include the following tasks:
o Assess the damage to any servers o Restart and refresh servers if necessary
• Install and implement any tools, hardware, and systems required in the primary facility • After Waycross is back to business as usual, this team will be summarize any and all
costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster
Contact Information
Name Role/Title Work Phone
Number Home Phone
Number Mobile Phone
Number
Anne Young Operations Manager 360.671.0148 N/A 253.335.8419
Diana Parrott Office Manager 360.671.0148 360.922.7499 360.296.1970
Applications Team
The Applications Team will be responsible for ensuring that all enterprise applications operate as required to meet business objectives in the event of and during a disaster. They will be primarily responsible for ensuring and validating appropriate application performance and may assist other IT Teams as required.
Role & Responsibilities
• If multiple applications are impacted, the team will prioritize the recovery of applications in the manner and order that has the least business impact. Recovery will include the following tasks:
o Assess the impact to application processes
8
o Restart applications as required • Install and implement any tools, software and patches required in the primary facility • After Waycross is back to business as usual, this team will be summarize any and all
costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster
Contact Information
Name Role/Title Work Phone
Number Home Phone
Number Mobile Phone
Number
Anne Young Operations Manager 360.671.0148 N/A 253.335.8419
Diana Parrott Office Manager 360.671.0148 360.922.7499 360.296.1970
Operations Team
This team’s primary goal will be to provide employees with the tools they need to perform their roles as quickly and efficiently as possible. They will need to provision all Waycross employees working from home with the tools that their specific role requires.
Role & Responsibilities
• Ensure sufficient spare computers and laptops are on hand so that work is not significantly disrupted in a disaster
• If insufficient computers/laptops or related supplies are not available the team will prioritize distribution in the manner and order that has the least business impact
• After Waycross is back to business as usual, this team will be required to summarize any and all costs and will provide a report to the Disaster Recovery Lead summarizing their activities during the disaster
Contact Information
Name Role/Title Work Phone
Number Home Phone
Number Mobile Phone
Number
Anne Young Operations Manager 360.671.0148 N/A 253.335.8419
Diana Parrott Office Manager 360.671.0148 360.922.7499 360.296.1970
9
Senior Management Team
The Senior Management Team will make any business decisions that are out of scope for the Disaster Recovery Lead. Decisions such as constructing a new data center, relocating the primary site etc. should be made by the Senior Management Team. The Disaster Recovery Lead will ultimately report to this team.
Role & Responsibilities
• Ensure that the Disaster Recovery Team Lead is held accountable for his/her role • Assist the Disaster Recovery Team Lead in his/her role as required • Make decisions that will impact the company. This can include decisions concerning:
o Rebuilding of the primary facilities o Significant hardware and software investments and upgrades o Other financial and business decisions
Contact Information
Name Role/Title Work Phone
Number Home Phone
Number Mobile Phone
Number
Michael Ryan President 360.671.0148 360.671.8376 360.319.8350
L. Hart Hodges Vice President 360.671.0148 360.527.3300 360.927.6013
Disaster Recovery Call Tree
In a disaster recovery or business continuity emergency, time is of the essence so Waycross will make use of a Call Tree to ensure that appropriate individuals are contacted in a timely manner.
• The Disaster Recovery Team Lead calls all Level 1 Members (Green cells) • Level 1 members call all Level 2 team members over whom they are responsible (Blue
cells)
Contact Office Mobile Home
DR Lead
David Schneider 360.671.0148 503.949.8011 360.778.1731
DR Management Team 1 360.671.0148 360.319.8350 360.671.8376
10
Michael Ryan
DR Management Team 2
L. Hart Hodges 360.671.0148 360.927.6013 360.527.3300
Network/Communications Team
Anne Young 360.671.0148 253.335.8419 N/A
Network/Communications Team
Diana Parrott 360.671.0148 360.296.1970 360.922.7499
Data and Backups
This section explains where all of the organization’s data resides as well as where it is backed up to. Use this information to locate and restore data in the event of a disaster.
Data in Order of Criticality
Rank Data Data Type Back-up
Frequency Backup Location(s)
1 Network Drives Confidential Daily I-Backup Servers & Google Drive
2 Client Files Confidential Daily I-Backup Servers & Google Drive
3 Administrative Files Confidential Daily I-Backup Servers & Google Drive
4
5
Communicating During a Disaster
In the event of a disaster, Waycross will need to communicate with various parties to inform them of the effects on the business, surrounding areas and timelines. The Communications Team will be responsible for contacting these parties.
Communicating with the Authorities
The Communications Team’s first priority will be to ensure that the appropriate authorities have been notified of the disaster, providing the following information:
• The location of the disaster • The nature of the disaster
11
• The magnitude of the disaster • The impact of the disaster • Assistance required in overcoming the disaster • Anticipated timelines
Authorities Contacts
Authorities Point of Contact Phone Number
Police Department Dispatch 911
Fire Department Dispatch 911
Communicating with Employees
Waycross’ second priority will be to ensure that the entire company has been notified of the disaster. The best and/or most practical means of contacting all of the employees will be used in concordance with the DR Call Tree. The employees will need to be informed of the following:
• Whether it is safe for them to come into the office • Where they should work remotely if they cannot come into the office • Which services are still available to them • Work expectations of them during the disaster
Communicating with Clients
After all of the organization’s employees have been informed of the disaster, the Communications Team will be responsible for informing clients of the disaster and the impact that it will have on the following:
• Anticipated impact on service offerings • Anticipated impact on delivery schedules • Anticipated impact on security of client information • Anticipated timelines
All clients will be made aware of the disaster situation first. All clients will be E-mailed first, if that function is available, or then called via telephone.
12
Communicating with Vendors
After all of the organization’s employees have been informed of the disaster, the Communications Team will be responsible for informing vendors of the disaster and the impact that it will have on the following:
• Adjustments to service requirements • Adjustments to contact information • Anticipated timelines
Crucial vendors will be made aware of the disaster situation first. Crucial vendors will be E-mailed first but if that service is not available, they will be called via telephone. Crucial vendors are those vendors outlined in Waycross’ Business Continuity Plan (BCP). All other vendors will be contacted only after all crucial vendors have been contacted.
Dealing with a Disaster
If a disaster occurs in Waycross, the first priority is to ensure that all employees are safe and accounted for. After this, steps must be taken to mitigate any further damage to the facility and to reduce the impact of the disaster to the organization. Regardless of the category that the disaster falls into, dealing with a disaster can be broken down into the following steps:
1) Disaster identification and declaration 2) DRP activation 3) Communicating the disaster 4) Assessment of current and and prevention of further damage 5) Repair and rebuilding of primary facility
Disaster Identification and Declaration
Since it is almost impossible to predict when and how a disaster might occur, Waycross must be prepared to find out about disasters from a variety of possible avenues. These can include:
• First hand observation • System Alarms and Network Monitors • Environmental and Security Alarms in the Primary Facility • End users • 3rd Party Vendors • Media reports
Once the Disaster Recovery Lead has determined that a disaster had occurred, s/he must officially declare that the company is in an official state of disaster. It is during this phase that the
13
Disaster Recovery Lead must ensure that anyone that was in the primary facility at the time of the disaster has been accounted for and evacuated to safety according to the company’s Evacuation Policy. While employees are being brought to safety, the Disaster Recovery Lead will instruct the Communications Team to begin contacting the Authorities and all employees not at the impacted facility that a disaster has occurred.
DRP Activation
Once the Disaster Recovery Lead has formally declared that a disaster has occurred s/he will initiate the activation of the DRP by triggering the Disaster Recovery Call Tree. The following information will be provided in the calls that the Disaster Recovery Lead makes and should be passed during subsequent calls:
• That a disaster has occurred • The nature of the disaster (if known) • The initial estimation of the magnitude of the disaster (if known) • The initial estimation of the impact of the disaster (if known) • The initial estimation of the expected duration of the disaster (if known) • Any other pertinent information
If the Disaster Recovery Lead is unavailable to trigger the Disaster Recovery Call Tree, that responsibility shall fall to the Disaster Management Team Lead
Communicating the Disaster
Refer to the “Communicating During a Disaster” section of this document.
Assessment of Current and Prevention of Further Damage
Before any employees from Waycross can enter the primary facility after a disaster, appropriate authorities must first ensure that the premises are safe to enter. The first team that will be allowed to examine the primary facilities once it has been deemed safe to do so will be the Management Team. Once the Management Team has completed an examination of the building and submitted its report to the Disaster Recovery Lead, all additional teams will be allowed to examine the building. All teams will be required to create an initial report on the damage and provide this to the Disaster Recovery Lead within 72 hours of the initial disaster. During each team’s review of their relevant areas, they must assess any areas where further damage can be prevented and take the necessary means to protect Waycross’ assets. Any
14
necessary repairs or preventative measures must be taken to protect the facilities; these costs must first be approved by the Management Team.
Standby Facility Activation
The Standby Facility is outlined in Waycross’ Business Continuity Plan. There is not currently a Standby Facility. All Staff will work remotely from home until such time a new Primary Facility is secured, if needed.
Restoring IT Functionality
Refer to the “Restoring IT Functionality” section of this document.
Restoring IT Functionality
Should a disaster actually occur and Waycross need to exercise this plan, this section will be referred to frequently as it will contain all of the information that describes the manner in which Waycross’ information system will be recovered.
Current System Architecture
IT Systems
Rank
IT System System Components (In order of importance)
1 Waycross Server Hardware, Software
2 QED Server Hardware, Software
3 Workstations/Laptops Hardware, Software
4 Internet Access
Plan Testing & Maintenance
While efforts will be made initially to construct this DRP is as complete and accurate a manner as possible, it is essentially impossible to address all possible problems at any one time. Additionally, over time the Disaster Recovery needs of the enterprise will change. As a result of these two factors this plan will need to be tested on a periodic basis to discover errors and omissions and will need to be maintained to address them.
Maintenance
The DRP will be updated yearly or any time a major system update or upgrade is performed, whichever is more often. The Disaster Recovery Lead will be responsible for updating the entire
15
document, and so is permitted to request information and updates from other employees within the organization in order to complete this task. Maintenance of the plan will include (but is not limited to) the following:
1. Ensuring that call trees are up to date 2. Ensuring that all team lists are up to date 3. Reviewing the plan to ensure that all of the instructions are still relevant to the
organization 4. Making any major changes and revisions in the plan to reflect organizational shifts,
changes and goals 5. Ensuring that the plan meets any requirements specified in new laws 6. Other organizational specific maintenance goals
During the Maintenance periods, any changes to the Disaster Recovery Teams must be accounted for. If any member of a Disaster Recovery Team no longer works with the company, it is the responsibility of the Disaster Recovery Lead to appoint a new team member.
Testing
Waycross is committed to ensuring that this DRP is functional. The DRP should be tested every year in order to ensure that it is still effective. Testing the plan will be carried out as follows: Walkthroughs- Team members verbally go through the specific steps as documented in the plan to confirm effectiveness, identify gaps, bottlenecks or other weaknesses. This test provides the opportunity to review a plan with a larger subset of people, allowing the DRP project manager to draw upon a correspondingly increased pool of knowledge and experiences. Staff should be familiar with procedures, equipment, and offsite facilities.
1) Simulations- A disaster is simulated so normal operations will not be interrupted. Hardware, software, personnel, communications, procedures, supplies and forms, documentation, transportation, utilities, and alternate site processing should be thoroughly tested in a simulation test. However, validated checklists can provide a reasonable level of assurance for many of these scenarios. Analyze the output of the previous tests carefully before the proposed simulation to ensure the lessons learned during the previous phases of the cycle have been applied.
Any gaps in the DRP that are discovered during the testing phase will be addressed by the Disaster Recovery Lead as well as any resources that he/she will require.